ICANN/GNSO GNSO Email List Archives

[ga]



Re: [ga] Apple Still Has Not Patched the DNS Hole

  • To: patrick@xxxxxxxxxxxxxx, ICANN Admin supp Manager Karen Lettner <karen.lettner@xxxxxxxxx>, icann board <icann-board@xxxxxxxxx>, ICANN Dan Halloran <halloran@xxxxxxxxx>, ICANN Kim Davies <kim.davies@xxxxxxxxx>, DHS Julie Myers <Julie.myers@xxxxxxx>
  • Subject: Re: [ga] Apple Still Has Not Patched the DNS Hole
  • From: "Jeffrey A. Williams" <jwkckid1@xxxxxxxxxxxxx>
  • Date: Mon, 28 Jul 2008 18:29:49 -0700

Patrick and all,

  Sorry Patrick, but the security hole in DNS/Bind has been known
for years.  And ISC knew it was, because I and several people
told them about and demonstrated this hole in DNS/Bind many times
back in 2000.  Why wasn't it addressed by ISC then?
So Dan wasn't the first by a long shot in making this and other
security holes in DNS known.  We fixed it in our DNS shortly
after we confirmed it back in 2000.  We named our product
BindPlus, and it is being used currently by WISE providers since
2001.

  Incompetence of this sort and magnitude should never be taken
lightly and, in my professional opinion, cannot be tolerated at all!

  For further reference to what I am contending, review the
archives at:
http://www.dnso.org/mailinglists.html
In case some are missing due to creative editing, I still have three
archived copies.

Patrick Vande Walle wrote:

> Jeffrey A. Williams wrote:
> > All,
> >
> >   As an example to another thread and for Joe's edification.
> >
> > An article up at TidBITS on  http://db.tidbits.com/article/9706
> > Apple's unexplained failure to patch the DNS vulnerability that we have
> > been  http://it.slashdot.org/article.pl?sid=08/07/25/1334254&tid=172
> > discussing for a
> > http://it.slashdot.org/article.pl?sid=08/07/21/2212227&tid=172
> > few weeks now. "Apple uses the popular Internet Systems
> > Consortium BIND DNS server which was one of the first tools patched,
> > but Apple has yet to include the fixed version in Mac OS X Server,
> > despite
> > being notified of vulnerability details early in the process and being
> > informed of the coordinated patch release date.
> >
> Sometimes, it may be wise to wait:
>
> "The group responsible for maintaining the internet's most popular
> domain name software BIND has admitted it caused problems by
> fast-tracking a security patch designed to fix the widescale DNS flaw
> discovered by researcher Dan Kaminsky this month."
>
> http://www.zdnet.com.au/news/security/soa/DNS-patch-causes-BIND-blunder/0,130061744,339290928,00.htm
>
> Patrick Vande Walle
>
> --
> Patrick Vande Walle
> Check my blog: http://patrick.vande-walle.eu

Regards,

Spokesman for INEGroup LLA. - (Over 281k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" -
   Abraham Lincoln

"Credit should go with the performance of duty and not with what is
very often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B;
liability depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947])
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS.
div. of Information Network Eng.  INEG. INC.
ABA member in good standing member ID 01257402 E-Mail
jwkckid1@xxxxxxxxxxxxx
My Phone: 214-244-4827



